...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\"	transcript compatibility for postscript use.
...\"
...\"	synopsis:  .P! <file.ps>
...\"
.de P!
\\&.
.fl			\" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl			\" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u	\" move below the image
..
.de pF
.ie     \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie     !\\*(f4 \{\
.	ft \\*(f4
.	ds f4\"
'	br \}
.el .ie !\\*(f3 \{\
.	ft \\*(f3
.	ds f3\"
'	br \}
.el .ie !\\*(f2 \{\
.	ft \\*(f2
.	ds f2\"
'	br \}
.el .ie !\\*(f1 \{\
.	ft \\*(f1
.	ds f1\"
'	br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n 
.TH "\fBflow-dscan\fP" "1"
.SH "NAME"
\fBflow-dscan\fP \(em Detect scanning and other suspicious network activity\&.
.SH "SYNOPSIS"
.PP
\fBflow-dscan\fP [-bBhlmpwW]  [-d\fI debug_level\fP]  [-D\fI iplist_depth\fP]  [-s\fI state_file\fP]  [-i\fI input_filter\fP]  [-L\fI suppress_list\fP]  [-o\fI output_filter\fP]  [-O\fI excessive_octets\fP]  [-P\fI excessive_flows\fP]  [-S\fI port_scan_trigger\fP]  [-t\fI ager_timeout\fP] 
.SH "DESCRIPTION"
.PP
The \fBflow-dscan\fP utility is used to detect suspicious
activity such as port scanning, host scanning, and flows with 
unusually high octets or packets\&.  A source and destination suppress
list is supported to help prevent false alarms due to hosts such as
nameservers or popular web servers that exchange traffic with a large
number of hosts\&.  Alarms are logged to syslog or stderr\&.  The internal
state of flow-dscan can be saved and loaded to allow for interrupted operation\&.
.PP
\fBflow-dscan\fP will work best if configured to only watch only inbound or outbound
traffic by using the input or output interface filter option\&.
.PP
The host scanner works by counting the length of the destination IP
hash chain\&.  If it goes above 64, then the src is considered to
be scanning\&.
.PP
The port scanner works by keeping a bitmap of the destination port
number < 1024 per destination IP\&.  If it goes above 64, the src is
considered to be port scanning the destination\&.
.PP
When a src has been flagged as scanning it will not be reported again
until the record is aged out and enough flows trigger it again\&.
.PP
A SIGHUP signal will instruct flow-dscan to reload the suppress list\&.
.PP
A SIGUSR1 signal will instruct flow-dscan to dump its internal state\&.
.SH "OPTIONS"
.IP "-b" 10
Do not detach and run in the background\&.  Alerts go to stderr\&.
.IP "-B" 10
Do not detach and run in the background\&.  Alerts go to syslog\&.
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-D\fI iplist_depth\fP" 10
Depth of IP host list for detecting host scanning\&.
.IP "-h" 10
Display help\&.
.IP "-i\fI input_filter\fP" 10
Input interface filter list\&.
.IP "-I\fI output_filter\fP" 10
Output interface filter list\&.
.IP "-l" 10
Load state from \fB/var/tmp/dscan\&.state\fP or the filename
specified with -s\&.
.IP "-L\fI suppress_list\fP" 10
Basename of suppress files\&.  There are two suppress files for input and
output traffic\&.  The suppress file syntax is
.IP "" 10
IP_address protocol source_port destination_port
.IP "" 10
A \&'-\&' can be used as a wildcard in the protocol, source_port,
and destination_port fields\&.  Only a single protocol, source_port, and
destination_port is supported per IP address\&.
.IP "-m" 10
Multicast address filter\&.  Use to ignore multicast addresses\&.
.IP "-O\fI excessive_octets\fP" 10
Trigger an alert if a flow is processed with the octets field exceeding
\fIexcessive_octets\fP\&.
.IP "-p" 10
Dump state to \fB/var/tmp/dscan\&.state\fP or the filename
specified with -s\&.
.IP "-P\fI excessive_packets\fP" 10
Trigger an alert if a flow is processed with the packets field exceeding
\fIexcessive_packets\fP\&.
.IP "-s\fI statefile\fP" 10
State filename\&.  Defaults to \fB/var/tmp/dscan\&.state\fP
.IP "-S\fI port_scan_trigger\fP" 10
Number of ports a IP address must have used to be considered scanning\&.
.IP "-t\fI ager_timeout\fP" 10
How long to keep flows around\&.  Default to 90000\&.  This is measured in
flows processed\&.
.IP "-T\fI excessive_time\fP" 10
Trigger an alert if a flow is processed with the End-Start field exceeding
\fIexcessive_time\fP\&.
.IP "-w" 10
Filter (ignore) candidate inbound www traffic, ie IP protocol 6, source port
80, and destination port > 1023\&.
.IP "-W" 10
Filter (ignore) candidate outbound www traffic, ie IP protocol 6, destination
port 80, and source  port > 1023\&.
.SH "EXAMPLES"
.PP
In a topology where 25 is the only output interface run flow-dscan over
the data in \fB/flows/krc4\fP\&.  Ignore www and multicast
traffic, store the internal state in
\fBdscan\&.statefile\fP on exit\&.  Use empty suppress list
files \fBdscan\&.suppress\&.src\fP and
\fBdscan\&.suppress\&.dst\fP\&.  The output produced by flow-dscan
typically must be manually inspected by using flow-filter and flow-print\&.
Many of the alerts will be false until the suppress lists are populated
for the local environment\&.
.PP
  \fBflow-cat /flows/krc4 | flow-dscan -I25 -b -m -s dscan\&.statefile -p -W\fP
.SH "BUGS"
.PP
The ager should automatically become more aggressive when a low memory
condition exists\&.

There is no upper limit on the number of records that can be allocated\&.  If
the ager is not running often enough the host will be run out of memory\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Sat 08 Jun 2002, 23:41
